Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help on SystemTime format and SystemTime stats
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help on SystemTime format and SystemTime stats
jip31
Motivator
03-25-2019
06:27 AM
Hi
I use the search below but SystemTime doesnt return results
SystemTime format is like this : '2019-03-25T03:49:42.458421900Z'
What is the issue please?
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%9Q%Z"), "%y-%m-%d %H:%M")
| table host SystemTime
I also want to stats in a table the latest SystemTime for EventCode=6005 and the latest SystemTime for EventCode=6006)
Something like this :
| stats latest(6005) as LastLogon, latest(6006) as LastReboot by host
| sort -LastLogon -LastReboot
Could you help me please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-25-2019
07:10 AM
When you run below query, does the value shown in the table has single quotes in them?
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| table host SystemTime
For your second requirement, try like this
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime | rename "6005" as LastLogon "6006" as LastReboot
| sort -LastLogon -LastReboot
Update - working solution for time conversion
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M")
| table host SystemTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-27-2019
04:29 AM
yes there is single quote
I have changed it in my eval but it doesnt works....
Thanks for the second requirement its good
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-27-2019
09:22 AM
Give this a try (single quotes are added to strptime function time format)
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M")
| table host SystemTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-27-2019
11:56 PM
I dont know why but i cant accept your answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-28-2019
07:27 AM
I converted my comments to answer now. You should be able to close it now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-27-2019
10:58 PM
perfect it works!! thanks
Get Updates on the Splunk Community!
ATTENTION!! We’re MOVING (not really)
Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...
Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions
Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
